Aadhaar hit by another data leak, UIDAI denies any breach

India’s national identification database, Aadhaar, has reportedly been hit by another data leak, according to ZDNet. The report says the issue was brought to the notice of the Indian government over a month ago, but nothing has yet been done to fix it. The flaw lies not in UIDAI’s own systems but in an API endpoint on a utility company’s website that returns Aadhaar-linked records, and the exposed data includes users’ personal information, their Aadhaar numbers and the names of the banks where they hold accounts.

According to the ZDNet report, the vulnerability was discovered by Delhi-based security researcher Karan Saini, who says that anybody with an Aadhaar number is affected. The report states, “The API’s endpoint – a URL that we are not publishing – has no access controls in place. The affected endpoint uses a hardcoded access token, which, when decoded, translates to ‘INDAADHAARSECURESTATUS’, allowing anyone to query Aadhaar numbers against the database without any additional authentication.”

Embedded tweet: “In response to the claims made by UIDAI regarding the #Aadhaar story, here’s a video demonstrating the enumeration of the endpoint and exposure of Aadhaar information on Indane’s website https://t.co/Jhb72T1QU5”

Saini also found that the API had no rate limiting in place, so an attacker could cycle through every possible 12-digit Aadhaar number (up to a trillion values) and collect a record each time a query hit a valid one. He explained that numbers could be enumerated simply by walking through ranges such as 1234 5678 0000 to 1234 5678 9999. Worryingly, it is not only customers registered with the utility service who are reported to be at risk, but every Aadhaar holder.
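The two weaknesses described above, a hardcoded shared token standing in for authentication and an unthrottled endpoint that confirms which identifiers exist, are a common pattern in lookup APIs. The Python below is an added illustration written for this page, not code from the report, the researcher or the utility: a deliberately weak lookup handler beside a hardened one that binds each session to a single ID, rate-limits per client and returns one uniform answer for every failed lookup. All records, IDs, the token value and the `otp-482913` secret are constructed placeholders, and the hardened design assumes the service has some way to authenticate a user (here a per-user secret, which in practice would be an OTP or similar).

```python
from __future__ import annotations

import base64
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed sample records: made-up 12-digit IDs and placeholder bank
# names, not real Aadhaar data.
RECORDS = {
    "123456780042": {"name": "A. Example", "bank": "Example Bank"},
    "123456789999": {"name": "B. Example", "bank": "Sample Bank"},
}

# Hypothetical hardcoded token in the style the report describes: a fixed
# string, base64-encoded and shipped in every client, hence effectively public.
HARDCODED_TOKEN = base64.b64encode(b"EXAMPLESECURESTATUS").decode()


def vulnerable_lookup(request: dict) -> tuple[int, dict]:
    """Weak pattern: the only check is a constant every client already has,
    the caller picks any ID, nothing limits volume, and 404 vs 200 tells the
    caller which IDs exist."""
    if request.get("token") != HARDCODED_TOKEN:
        return 401, {"error": "invalid token"}
    rec = RECORDS.get(request.get("id", ""))
    if rec is None:
        return 404, {"error": "not found"}
    return 200, rec


class HardenedService:
    """Hardened pattern: per-user sessions bound to one ID, a sliding-window
    rate limit per client, and one uniform answer for every failed lookup."""

    def __init__(self, credentials: dict, max_requests: int = 5,
                 window_s: float = 60.0, clock=time.monotonic):
        self._credentials = credentials   # id -> per-user secret (e.g. from an OTP)
        self._sessions = {}               # session token -> bound id
        self._hits = defaultdict(deque)   # client key -> request timestamps
        self.max_requests = max_requests
        self.window_s = window_s
        self.clock = clock                # injectable so the window can be tested

    def _allowed(self, client: str) -> bool:
        """Sliding window: at most max_requests per client per window_s."""
        now = self.clock()
        q = self._hits[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def login(self, client: str, user_id: str, secret: str) -> str | None:
        """Issue a random session token bound to user_id; login attempts
        count against the same limit, so secrets cannot be brute-forced."""
        if not self._allowed(client):
            return None
        expected = self._credentials.get(user_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def lookup(self, request: dict) -> tuple[int, dict]:
        if not self._allowed(request.get("client", "")):
            return 429, {"error": "rate limited"}
        bound = self._sessions.get(request.get("session", ""))
        if bound is None:
            return 401, {"error": "login required"}
        # A session may read only the record it is bound to. A foreign ID and
        # a missing record get the identical response, so nothing is confirmed.
        rec = RECORDS.get(bound) if request.get("id") == bound else None
        if rec is None:
            return 404, {"error": "not found"}
        return 200, rec


def demo() -> tuple[list[str], int, int, int]:
    """Walk a small ID range against both designs."""
    probe = ["123456780000", "123456780042", "123456789999"]
    # Weak: the shared constant plus a loop is enough to learn which IDs exist.
    found = [i for i in probe
             if vulnerable_lookup({"token": HARDCODED_TOKEN, "id": i})[0] == 200]
    # Hardened: own record readable, another user's is not, and the fourth
    # request inside the window is refused (the login already used one).
    svc = HardenedService({"123456780042": "otp-482913"}, max_requests=3)
    sess = svc.login("10.0.0.1", "123456780042", "otp-482913")
    own = svc.lookup({"client": "10.0.0.1", "session": sess, "id": "123456780042"})[0]
    other = svc.lookup({"client": "10.0.0.1", "session": sess, "id": "123456789999"})[0]
    burst = svc.lookup({"client": "10.0.0.1", "session": sess, "id": "123456780042"})[0]
    return found, own, other, burst


if __name__ == "__main__":
    print(demo())  # (['123456780042', '123456789999'], 200, 404, 429)
```

The point of the hardened version is that the identifier being looked up is never something the caller gets to choose freely: it comes from an authenticated session, so a leaked token only ever exposes the one record it was issued for, and the rate limit caps how fast even that can be probed.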

Meanwhile, the Unique Identification Authority of India (UIDAI) has dismissed the reports of a security lapse. The agency said, “There has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure. Even if the claim purported in the story were taken as true, it would raise security concerns on the database of that utility company and has nothing to do with the security of UIDAI’s Aadhaar database.” Both positions can hold at once: the flaw described is in a third party’s API that serves Aadhaar-linked data, not in UIDAI’s own systems, which is why the researcher’s demonstration targets Indane’s website rather than UIDAI.